# -*- makefile -*-
# Pluto Makefile - calculate -D options from Makefile options
# Copyright (C) 2005-2008 Michael Richardson <mcr@xelerance.com>
# Copyright (C) 2008-2009 Paul Wouters <paul@xelerance.com>
# Copyright (C) 2008-2009 David McCullough <david_mccullough@securecomputing.com>
# Copyright (C) 2009  Avesh Agarwal <avagarwa@redhat.com>
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
# or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
# for more details.

# All of the USE_ and HAVE_ variables are controlled from openswan/Makefile.inc

# XXX remove me.
DYNAMICDNSDEF=-DDYNAMICDNS

ifeq ($(USE_LDAP),true)
# Everyone (should) be using LDAPv3, however LDAP_VERSION=2 is an option
# if you require LDAPv2
LDAP_VERSION=3
endif

# whether or not to enable aggressive mode exchanges.
ifeq ($(USE_AGGRESSIVE),true)
AGGRESSIVE=1
endif

ifeq ($(USE_XAUTH),true)
XAUTH=1
# compile with PAM support will increase the size of the distribution
# and thus it may not be the best solution for embeded systems. XAUTH
# will use MD5/DES crypt() lib and a password file by default.
ifeq ($(USE_XAUTHPAM),true)
XAUTH_USEPAM=1
endif
endif

# -O on Linux makes gcc coredump when compiling sha1.c
# -Wundef is nice but RHL5.2 compiler doesn't support it
CFLAGS +=-g -Wall -W -Wmissing-prototypes -Wpointer-arith -Wbad-function-cast \
	-Wcast-qual -Wmissing-declarations -Wwrite-strings \
	-Wstrict-prototypes # -Wundef

ifeq ($(HAVE_OCF),true)
CFLAGS += -DHAVE_OCF
endif

# where to find klips headers and Openswan headers
# and 2.6 kernel's <rtnetlink.h> and <xfrm.h>
HDRDIRS = -I${OPENSWANSRCDIR}/programs/pluto/linux26
HDRDIRS+= -I${OPENSWANSRCDIR}/include/pluto -I${OPENSWANSRCDIR}/include
HDRDIRS+= -I$(OPENSWANSRCDIR)/lib/libcrypto -I$(KLIPSINC)

# BYTE_ORDER = -DBIG_ENDIAN=4321 -DLITTLE_ENDIAN=1234 -DBYTE_ORDER=BIG_ENDIAN
# BYTE_ORDER = -DBIG_ENDIAN=4321 -DLITTLE_ENDIAN=1234 -DBYTE_ORDER=LITTLE_ENDIAN

# -DKLIPS enables interface to Kernel LINUX IPsec code
# -DNETKEY enables interface to Kernel NETKEY/XFRM IPsec code
# -DDEBUG enables debugging code, allowing for debugging output
#    (note that output must also be selected at runtime, so it is
#    reasonable to always define this)
# -DPLUTO_SENDS_VENDORID enables pluto to send out a VendorID payload.
#    this can be used by remote nodes to work around faults (bugs),
#    but is most useful to humans who are debugging things.
# -DLEAK_DETECTIVE enables crude code to find memory allocation leaks.
# -DOLD_RESOLVER.  At some point, the resolver interface changed.
#    This macro enables Pluto support for the old interface.
#    It is automatically defined, based on the value of the <resolver.h>
#    macro __RES.  We don't know the correct threshold, so you may
#    find that you must manually define this.  If so, please inform
#    us so that we can refine the threshold.

# The following are best left undefined -- each can be overridden at runtime
# if need be.
# -DPORT=n sets the default UDP port for IKE messages (otherwise 500)
# -DSHARED_SECRETS_FILE=string overrides /etc/ipsec.secrets as the
#    default name of the file containing secrets used to authenticate other
#    IKE daemons.  In the Makefile, two levels of quoting are needed:
#    -DSHARED_SECRETS_FILE='"/etc/ipsec.secrets"'
# -DDEFAULT_CTLBASE=string overrides /var/run/pluto as default directory
#    and basename for pluto's lockfile (.pid) and control socket (.ctl).
#    Double quoting may be needed.


IPSECPOLICY_DIST_SRCS=rcv_info.c
ifeq ($(USE_IPSECPOLICY),true)
IPSECPOLICY_SRCS=${IPSECPOLICY_DIST_SRCS}
IPSECPOLICY_DEFINES=-DIPSECPOLICY
IPSECPOLICY_LIBS=$(POLICYLIB)
IPSECPOLICY_OBJS=rcv_info.o
endif

ifeq ($(USE_VENDORID),true)
VENDORID=-DPLUTO_SENDS_VENDORID
endif

ifeq ($(USE_KEYRR),true)
KEYRR_DEFINES=-DUSE_KEYRR
endif

ifeq ($(USE_PFKEYv2),true)
PFKEYv2_DIST_SRC=kernel_pfkey.c kernel_pfkey.h
PFKEYv2_OBJS=kernel_pfkey.o
else
PFKEYv2_DIST_SRC=
PFKEYv2_OBJS=
endif

NETKEY_DIST_SRCS=kernel_netlink.c kernel_netlink.h
ifeq ($(USE_NETKEY),true)
NETKEY_DEFS=-DNETKEY_SUPPORT -DKERNEL26_HAS_KAME_DUPLICATES -DPFKEY
NETKEY_SRCS=${NETKEY_DIST_SRCS}
NETKEY_OBJS=kernel_netlink.o
endif

KLIPS_DIST_SRCS=kernel_klips.c
ifeq ($(USE_KLIPS),true)
KLIPS_SRCS=${KLIPS_DIST_SRCS}
KLIPS_DEFS=-DKLIPS -DHAVE_UDPFROMTO -DPFKEY
KLIPS_OBJS=kernel_klips.o
endif

MAST_DIST_SRCS=kernel_mast.c
ifeq ($(USE_MAST),true)
MAST_SRCS=${MAST_DIST_SRCS}
MAST_DEFS=-DKLIPS_MAST
MAST_OBJS=kernel_mast.o
endif

WIN2K_DIST_SRCS=kernel_win2k.c
ifeq ($(USE_WIN2K_NATIVE),true)
WIN2K_SRCS=${WIN2K_DIST_SRCS}
WIN2K_DEFS=-DWIN2K_NATIVE_IPSEC
WIN2K_OBJS=kernel_win2k.o
endif

BSDKAME_DIST_SRCS=kernel_bsdkame.c
ifeq ($(USE_BSDKAME),true)
BSDKAME_SRCS=${BSDKAME_DIST_SRCS}
BSDKAME_DEFS=-DBSD_KAME
BSDKAME_OBJS=kernel_bsdkame.o
BSDKAME_LIBS=${LIBBSDPFKEY}
endif


# the files are defined here so that TAGS: can catch them.
#
X509_DIST_OBJS=ac.o x509.o x509keys.o
X509_DIST_SRCS=${X509_DIST_OBJS:.o=.c}
X509_DIST_SRCS+=fetch.h
HAVE_THREADS_DIST_OBJS=fetch.o
HAVE_THREADS_DIST_SRCS=${HAVE_THREADS_DIST_OBJS:.o=.c}
X509_OBJS=${X509_DIST_OBJS}
X509_SRCS=${X509_DIST_SRCS}
X509_DEFS=-DX509_PLUTO
X509_LIBS= ${LIBOSWKEYS} ${CRYPTOLIBS}
LIBSWHACK+=${LIBOSWKEYS} ${CRYPTOLIBS}


# dynamic LDAP CRL fetching requires OpenLDAP library
ifeq ($(USE_LDAP),true)
X509_LLIBS+= -lldap -llber
PLUTOMINUSL+= -llber
ifdef LDAP_VERSION
X509_DEFS+= -DLDAP_VER=$(LDAP_VERSION)
endif
endif

ifeq ($(HAVE_THREADS),true)
HAVE_THREADS_DEFS=-DHAVE_THREADS
HAVE_THREADS_OBJS=${HAVE_THREADS_DIST_OBJS}
HAVE_THREADS_SRCS=${HAVE_THREADS_DIST_SRCS}
HAVE_THREADS_LLIBS=-lpthread
endif

ifeq ($(HAVE_OPENSSL),true)
OPENSSL_LIBS=-lcrypto
endif

ifeq ($(HAVE_STATSD),true)
HAVE_STATSD_DEFS=-DHAVE_STATSD
endif

ifeq ($(USE_IPSEC_CONNECTION_LIMIT),true)
IPSEC_CONNECTION_LIMIT_DEFS=-DIPSEC_CONNECTION_LIMIT=$(IPSEC_CONNECTION_LIMIT)
endif

XAUTH_DIST_SRCS=xauth.c xauth.h
XAUTH_DIST_OBJS=xauth.o
ifeq ($(USE_XAUTH),true)
# This compile option activates xauth code and modecfg needed by xauth
XAUTH_DEFS=-DXAUTH -DMODECFG -DMODECFG_DNSWINS
XAUTH_OBJS=${XAUTH_DIST_OBJS}
XAUTH_SRCS=${XAUTH_DIST_SRCS}
ifneq ($(BUILDENV), darwin)
XAUTH_LLIBS=-lcrypt
endif
# if we use pam for password checking then add it too
ifeq ($(USE_XAUTHPAM),true)
XAUTHPAM_DEFS=-DXAUTH_USEPAM
XAUTHPAM_LIBS=-lpam -ldl
endif
endif

AGGRESSIVE_DIST_OBJS=ikev1_aggr.o
AGGRESSIVE_DIST_SRCS=${AGGRESSIVE_DIST_OBJS:.o=.c}
ifeq ($(USE_AGGRESSIVE),true)
# This compile option activates xauth code and modecfg needed by xauth
AGGRESSIVE_DEFS=-DAGGRESSIVE
AGGRESSIVE_OBJS=${AGGRESSIVE_DIST_OBJS}
AGGRESSIVE_SRCS=${AGGRESSIVE_DIST_SRCS}
endif

ifeq ($(USE_NAT_TRAVERSAL),true)
NAT_DEFS=-DNAT_TRAVERSAL
endif

ifeq ($(USE_NAT_TRAVERSAL_TRANSPORT_MODE),true)
NAT_DEFS+=-DI_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
endif

ifeq ($(USE_LIBCURL),true)
# This compile option activates dynamic URL fetching
# with libcurl in the source code
CURL_DEFS=-DLIBCURL
CURL_LLIBS=-lcurl
endif

ifeq ($(USE_WEAKSTUFF),true)
WEAK_DEFS=-DUSE_VERYWEAK_DH1=1
ifeq ($(USE_NOCRYPTO),true)
WEAK_DEFS+=-DUSE_1DES
endif
endif

ifeq ($(USE_EXTRACRYPTO),true)
EXTRA_CRYPTO_DEFS=-DUSE_TWOFISH -DUSE_BLOWFISH -DUSE_SERPENT
EXTRA_CRYPTO_SRCS=ike_alg_blowfish.c ike_alg_twofish.c ike_alg_serpent.c
EXTRA_CRYPTO_OBJS=ike_alg_blowfish.o ike_alg_twofish.o ike_alg_serpent.o
EXTRA_CRYPTO_LIBS=$(LIBBLOWFISH) $(LIBTWOFISH) $(LIBSERPENT)
endif


ifeq ($(USE_SINGLE_CONF_DIR),true)
SINGLE_CONF_DIR=-DSINGLE_CONF_DIR
endif

ifeq ($(USE_LEAK_DETECTIVE),true)
LEAK_CONF=-DLEAK_DETECTIVE

ifeq ($(USE_ONGOING_LEAK_DETECTIVE),true)
LEAK_CONF+=-DONGOING_LEAK_DETECTIVE
endif
endif

ifeq ($(USE_TAPROOM),true)
LIBTPM=tpm/libtpm.a
TPM_LIBS=${LIBTPM} ${TCLLIB}
TPM_DEFS=-DTPM ${TCLINC}
endif

DEFINES = $(EXTRA_DEFINES) \
	$(IPSECPOLICY_DEFINES) ${VENDORID} \
	$(KEYRR_DEFINES) \
	$(BYTE_ORDER) \
	$(DYNAMICDNSDEF) \
	$(NETKEY_DEFS) \
	$(X509_DEFS) \
	${EXTRA_CRYPTO_DEFS} \
	$(HAVE_THREADS_DEFS) \
	-DPLUTO \
	${KLIPS_DEFS} ${WIN2K_DEFS} ${TPM_DEFS} ${MAST_DEFS} ${BSDKAME_DEFS} \
	-DBUILDER=\"${BUILDER}\" \
	-DDEBUG \
	-DUSE_AES -DUSE_3DES -DUSE_SHA2 \
	-DIKE_ALG -DKERNEL_ALG -DIKEV1 \
	${AGGRESSIVE_DEFS} \
	${XAUTH_DEFS} ${XAUTHPAM_DEFS} \
	${NAT_DEFS} ${CURL_DEFS}\
	${WEAK_DEFS} \
	${SINGLE_CONF_DIR} \
	${HAVE_STATSD_DEFS} \
	${IPSEC_CONNECTION_LIMIT_DEFS} \
        ${LEAK_CONF} # -DLEAK_DETECTIVE now handled via USE_LEAK_DETECTIVE in Makefile.inc


# libefence is a free memory allocation debugger
# Solaris 2 needs -lsocket -lnsl
LIBSPLUTO =$(OBJSGCRYPT)
LIBSPLUTO+=$(LIBOSWCRYPTO)
LIBSPLUTO+=$(LIBDESLITE) $(LIBAES) ${LIBOPENSWAN} ${LIBPLUTO}
LIBSPLUTO+=${LIBSHA1} ${LIBMD5}
LIBSPLUTO+=$(IPSECPOLICY_LIBS) $(X509_LIBS)
LIBSPLUTO+=$(HAVE_THREADS_LIBS)
LIBSPLUTO+=${CURL_LIBS} ${TPM_LIBS}
LIBSPLUTO+=${EXTRA_CRYPTO_LIBS} $(LIBSHA2)
LIBSPLUTO+=${WHACKLIB} ${PLUTOLIB} ${BSDKAME_LIBS}
PLUTOMINUSL+= ${X509_LLIBS} ${CURL_LLIBS} ${TPM_LLIBS} ${HAVE_THREADS_LLIBS}
PLUTOMINUSL+= ${XAUTH_LLIBS} ${XAUTHPAM_LIBS}
PLUTOMINUSL+= ${OPENSSL_LIBS} ${LIBCRYPT} ${LIBGMP} -lresolv #-lefence

# Solaris needs -lsocket -lnsl
LIBSWHACK+= ${WHACKLIB} ${LIBOPENSWAN} ${LIBOSWLOG}  ${LIBOPENSWAN}

# NSS things
DEFINES+=${NSS_FLAGS}    ${FIPS_FLAGS}
PLUTOMINUSL+=${NSS_LIBS} ${FIPS_LIBS}
HDRDIRS+=${NSS_HDRDIRS}  ${FIPS_HDRDIRS}
ifeq ($(USE_NSS),true)
CRYPTO_OBJS=ikev1_nss.c ikev2_nss.c
else
CRYPTO_OBJS=ikev1_crypto.o ikev2_crypto.o
endif


# Use MODP group described in RFC 5114
ifeq ($(USE_MODP_RFC5114),true)
DEFINES+=-DUSE_MODP_RFC5114
endif

ifeq ($(USE_DMALLOC),true)
DEFINES+=-DDMALLOC
LIBSPLUTO+= -ldmalloc
endif

ifeq ($(USE_LIBCAP_NG),true)
DEFINES+=-DHAVE_LIBCAP_NG
LIBSPLUTO+= -lcap-ng
endif

# NetworkManager support
ifeq ($(USE_NM),true)
DEFINES+=-DHAVE_NM
endif

# LABELED IPSEC support
ifeq ($(USE_LABELED_IPSEC),true)
DEFINES+=-DHAVE_LABELED_IPSEC
LIBSPLUTO+= -lselinux
endif
